As mentioned previously, you can make your own certificates and private keys for the eDirectory and NetWare instrumentations. If these keys are created, it is important to protect them because the location and name of the custom certificates are hardcoded. The certificate and key files should only be accessible by the logging application itself, which loads locally on the server.
Each Novell Audit server platform requires different steps to protect the custom certificates, which are discussed below.
If you are using a custom application, hardcode the certificate into the application. If you do not want to do this, use the techniques described below to protect the private key file for each application.
On NetWare, the custom certificates and private key files can be protected with file system trustees and inherited rights filters. The NetWare Instrumentation uses sys:\system\nwipkey.pem as the private key. The eDirectory instrumentation uses sys:\system\dsipkey.pem as the private key.
To limit access to the private key files:
Grant the auditor user Object rights to the key files.
Using iManager, or any other management tool, implement an inherited rights filter on the key file.
It is not possible to filter the Supervisor inheritance on files in a file system. Users with Supervisor rights to sys:/system can still access the key files. Therefore, grant Supervisor access to objects and volumes sparingly.
On Windows, the custom certificate and private key files are also protected by file system trustees. The eDirectory instrumentation certificate files to protect are \windows_directory\dsicert.pem and \windows_directory\dsipkey.pem.
To limit access to the private key files:
Grant the auditor user full object rights to the key files.
Give the SYSTEM account read rights to the key files.
Do not allow inherited rights from any file to be propagated to the key files.
NOTE:The owner of a file can always change the rights. System administrators can take ownership of a file. Do not grant excessive numbers of users Administrator rights to the server.
On Linux and Solaris, the private key is stored in /etc/dsipkey.pem.
To limit access to the private key file:
Grant the root user rights to the file.
You can also grant rights to the auditor and the root group. Do not grant read rights to other users of the system.
Assign mode 0400 to the file; verify that the owner of the file is root.
If you have granted rights to the auditor and the root group, assign mode 0440 to the file.